Brute Force
Objective
Your goal is to get the administrator’s password by brute forcing. Bonus points for getting the other four user passwords!
Security Level: Low
The application presents two input fields, one for the username and one for the password. Let's enter admin as both.
Let's intercept the login request in Burp Suite and send it to Intruder to automate the attack.
After marking the value of the password parameter as the payload position, we can set up the payload that will be substituted into it.
For the payload type we want a simple list, specifically the darkweb2017-top100.txt password list from the SecLists collection.
Before we start the attack there is one important thing to do. In the Options tab, we add a Grep - Match entry so that every response is checked for the failure message:
Username and/or password incorrect.
A response that does not contain this string is the one we are looking for.
Let's start the attack.
We can immediately see that the response for the payload "password" did not include the string.
Taking a closer look at that response, we can see that it greets us with a welcome message instead of the error. This confirms that the administrator's password is password.